JP6993792B2 - Web access control device - Google Patents

Description

The present invention relates to a technique for determining the malignancy of an access destination website, blocking communication to the malignant site, and improving the discrimination accuracy based on feedback from the user.

In recent years, as seen in targeted attacks, attacks have become more sophisticated and pose a serious threat to businesses and nations. In addition, with the sophistication of attacks, it has become difficult to completely block intrusion from the outside. Here, in order to suppress damage after intrusion, it is important to block communication to the outside for the purpose of stealing confidential information and spreading infection.

From the above background, there is a demand for a technology that appropriately controls communication to the outside and blocks suspicious communication.

By using the technique of Patent Document 1, access to a known malignant site can be blocked. In addition, applications such as permitting access only to known benign sites are also conceivable. However, the technology has problems that it cannot deal with unknown sites and that it is necessary to keep updating the list manually.

Here, as in Patent Document 2, a white list with low malignancy, a blacklist with high malignancy, and a gray list that does not belong to any of them are based on the malignancy of the website calculated from the log of the proxy server or the like. There is a technology to automatically generate. As a result, the cost of manually updating the list can be suppressed. There is also a technology that requests additional authentication when connecting to a website included in the gray list, distributes the gray list to the white list when the additional authentication is successful, and distributes it to the black list when it has never succeeded for a certain period of time. Have. As a result, even a website that has not been mechanically sorted into a whitelist or a blacklist can be sorted into either list according to the authentication result.

Japanese Unexamined Patent Publication No. 2005-275604 JP-A-2015-170219

The existing technology does not consider the mechanism for determining the malignancy of a website or the accuracy of the authentication result. Therefore, depending on the accuracy of the malignancy determination mechanism, a website with a high degree of malignancy may be judged as safe, and a website with a possibility of being damaged during access or a website with a low degree of malignancy may be judged as dangerous. There is a possibility that additional authentication will occur frequently and the convenience will be reduced. In addition, if the result of additional authentication differs from what it should be due to lack of knowledge of the user or operation error, the accuracy of sorting from the gray list to each list will decrease, and the same problem may occur. There is sex.

Hereinafter, a malicious website used for a cyber attack will be referred to as a malicious site, and a website that is not a malicious site will be referred to as a benign site.

A typical example of the present invention is as follows. That is, the Web access control device of the present invention is a device that connects a terminal operated by a user and the Internet via a network, and has a plurality of mechanisms in which the degree of malignancy of the accessed website is weighted. A website malignancy determination program that is inferred using the program, and an additional authentication request program that notifies the user when access to a highly malignant site is detected and determines whether or not access is possible based on the user's judgment. The weights of the feedback value calculation program that determines the content to be fed back to the website malignancy determination program based on the user's judgment and its accompanying information, and the weights of each guesser constituting the website malignancy determination program are described above. It is a Web access control device including a weight update program that updates based on a value calculated by a feedback value calculation program.

According to the present invention, it is possible to estimate the malignancy of a website using a plurality of guessers, and to determine the correctness of the guess result by feedback from the user. At this time, the feedback from the user is used, and the weight of the guesser having a high matching rate between the guess result and the user judgment is increased, so that the overall detection accuracy is automatically improved. By combining these, communication to malicious sites is blocked, unnecessary additional authentication and manual update cost of blacklist are suppressed, and convenience is improved.

It is a figure which showed the configuration example of the Web access control apparatus which concerns on embodiment of this invention. It is a figure which shows an example of the authentication information management table which concerns on embodiment of this invention. It is a figure which shows an example of the speculator management table which concerns on embodiment of this invention. It is a figure which shows an example of the guesser weight history which concerns on embodiment of this invention. It is a figure which shows an example of the gray list which concerns on embodiment of this invention. It is a figure which shows an example of the blacklist which concerns on embodiment of this invention. It is a figure which shows an example of the white list which concerns on embodiment of this invention. It is a figure which shows the whole processing flow which concerns on embodiment of this invention. It is a figure which shows the processing flow of the website malignancy determination program which concerns on Example of this invention. It is a figure which shows the processing flow of the list update program which concerns on embodiment of this invention. It is a figure which shows the process flow of the feedback value calculation which concerns on embodiment of this invention. It is a figure which shows the processing flow of weight update which concerns on the implementation of this invention. It is a figure which shows an example of the additional authentication screen (before acquisition of additional information) which concerns on embodiment of this invention. It is a figure which shows an example of the additional authentication screen (after acquisition of additional information) which concerns on embodiment of this invention. It is a figure which shows the processing flow of the weight update in consideration of the time-series change which concerns on the implementation of this invention.

Hereinafter, embodiments (examples) for carrying out the present invention will be described. In this embodiment, a plurality of guessers for determining the malignancy of each weighted site are prepared to determine the malignancy of the accessed website, and if the malignancy is higher than a certain threshold value, the user is notified. Request additional authentication. When the user is requested to perform additional authentication, the user determines whether or not to connect to the access destination website, and only when it is determined that there is no problem, the user breaks through the additional authentication and accesses the website. As a result, it is possible to suppress access to the malicious site by malware or the like that the user does not intend or assumes the existence of the additional authentication and cannot break through the additional authentication. In addition, the user judgment and the result calculated by the website malignancy determination program are matched, and the weight of each guesser constituting the website malignancy determination program is updated depending on whether or not the two match. As a result, the judgment of a highly accurate guesser is emphasized, and the overall malignancy judgment accuracy is improved. Further, when confirming the user judgment, it is estimated whether or not the judgment is correct by using the information obtained incidentally, and the more probable result of the user judgment is reflected in the malignancy judgment mechanism. As a result, it is possible to suppress a decrease in malignancy determination accuracy due to reflecting an erroneous user judgment.

Hereinafter, focusing on these points, examples of the website malignancy determination processing flow, list update processing, and feedback value calculation processing will be described.

FIG. 1 is a diagram showing a configuration example of a Web access control device according to an embodiment of the present invention. The Web access control device 101 according to the embodiment connects the user terminal 121 operated by the user and the Internet 123 via the network 122.

The Web access control device 101 includes a CPU (Central Processing Unit) 103, a main memory 104 for storing data necessary for the CPU 103 to execute processing, and a hard disk or flash memory having a capacity for storing a large amount of data. A storage device 105 such as, an IF (interface) 102 for communicating with other devices, an input / output device 106 for input / output such as a keyboard and a display, and a communication path 107 connecting each of these devices. It is a computer equipped with. The communication path 107 is an information transmission medium such as a bus or a cable.

The CPU 103 adds control of suspicious communication by executing the access relay program 108 stored in the main memory 104, and determination of the malignancy of the accessed website by executing the website malignancy determination program 109. By executing the authentication request program 110, additional authentication of the user who operates the user terminal 121, by executing the access destination information acquisition program 111, information acquisition of the access destination website, and by executing the list update program 112. A value for feeding back the update of the gray list 118, the black list 119, and the white list 120 to the weights assigned to the weights assigned to each malignancy estimator 124 constituting the website malignancy determination program 109 by executing the feedback value calculation program 113. By executing the weight update program 114, each malignancy estimator constituting the website malignancy determination program 109 recorded in the estimator management table 116 based on the calculated value in the feedback value calculation program 113 Update the weight assigned to 124. The storage device 105 manages the additional authentication history 115 showing the additional authentication result of the user operating the user terminal 121 and the accompanying information at that time, and the information of the malignancy guesser 124 constituting the website malignancy determination program 109. Guesser management table 116, Guesser weight history 117 that manages the weights of the guesser for each time series, Graylist 118 that shows suspicious communication destination information, Blacklist 119 that shows dangerous communication destination information, Safe. A white list 120 showing information on the communication destination is stored.

Each of the above programs and data may be stored in the main memory 104 or the storage device 105 in advance, and may be installed (loaded) from the input / output device 106 or from another device via the IF 102 when necessary. May be.

FIG. 2 is a diagram showing an example of the additional authentication history 115. As shown in FIG. 2, the additional authentication history 115 includes an ID 201, an authentication result 202, ancillary information 203, a user identification information 207, and a URL 208. Further, the accompanying information is composed of, for example, the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206.

ID 201 represents information that can uniquely identify the authentication information.

The authentication result 202 indicates whether or not the user has succeeded in additional authentication. For example, when the authentication result 202 is "success", it means that the user succeeded in breaking through the additional authentication, and when the authentication result 202 is "failure", it means that the user failed to break through the additional authentication.

The incidental information 203 represents information incidentally obtained when the user faces additional authentication. Here, the accompanying information 203 will be described as being composed of the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206.

The time required for authentication 204 represents the time required from the presentation of the additional authentication screen to the user until the authentication is attempted. For example, if it takes 4.3 seconds to try authentication after the additional authentication screen is displayed, "4.3" is recorded regardless of the success or failure of the authentication. In addition, if there is no attempt to break through the authentication for a predetermined period of time, it is recorded as "timeout".

The number of correct answers 205 represents the number of correct answers out of the total number of characters and the correct answer rate when authentication with a character string is used for additional authentication. For example, if the authentication character string is "abcd" and "abvf" is input, "2 (50%)" is recorded because the first two characters of all four characters are correct. .. The time is calculated by the difference between the time when the additional authentication screen is presented and the time when the additional authentication character string is received from the user in the additional authentication request program 110.

The presence / absence of site information display 206 indicates whether or not the user has requested additional information as a material for determining whether or not the access destination website is malicious at the time of additional authentication. For example, "Yes" means that the user requested additional information, and "None" means that the user did not request additional information. Examples of additional information for assisting the user's judgment include thumbnail images of the access destination website, whois information, DNS information, and the like.

The stored information of the additional authentication history 115 shall be acquired and stored at the time of additional authentication when there is an attempt to access a suspicious site. In addition, this time, the time required for authentication 204, the number of correct answers 205, and the presence / absence of site information display 206 are listed as incidental information, but information obtained incidentally may be used in addition to the information. ..

The user identification information 207 represents information that can uniquely identify the user who has faced additional authentication. For example, in the network environment, if a user assigned the identifier "123" desires the authentication, "123" representing the user is recorded. Although the identifier given to the user on the network system is used this time, the user may be uniquely identified, and for example, the IP (Internet Protocol) address of the user terminal or the user name of the user may be used. ..

URL 208 represents the URL of the suspicious connection destination that is the target of the additional authentication. For example, in the case of "foo.com", the URL indicates that it is a suspicious connection destination subject to the additional authentication. Although the URL is used this time, it is sufficient if a suspicious connection destination can be identified, and for example, an IP address or an FQDN (Full FQDN Domain Name) may be used.

FIG. 3 is a diagram showing an example of the guesser management table 116. As shown in FIG. 3, the guesser management table 116 includes an ID 301, a correct answer rate 302, a weight 303, and the latest malignancy determination result 304.

ID 301 represents information that can uniquely identify each malignancy guesser 124 constituting the website malignancy determination program 109.

The correct answer rate 302 represents the matching rate between the determination result (malignant / benign) for each suspicious site so far and the additional authentication result (non-breakthrough / breakthrough) of the user. For example, in the case of "80%", it means that the judgment result for 0.8N times out of the malignancy judgment chances of N times of the suspicious site matches the additional authentication result of the user. The higher the accuracy rate of the guesser, the higher the accuracy of discriminating the malignant site in the tissue into which the Web access control device is introduced, and the greater the weight is given. A specific processing procedure for calculating the weight given to each guesser will be described later with reference to FIG.

The weight 303 represents a value normalized so that the total value of the weights assigned to each guesser is 1. For example, in the case of "0.2", it means that the guesser has the judgment right of 20% of all guessers.

The latest malignancy determination result 304 indicates how the malignancy of the determination target was determined in the latest malignancy determination opportunity. For example, in the case of "75%", it means that the guesser has determined that the determination target is malignant with a probability of 75%. This time, the malignancy of the access destination website was used as an index to indicate the suspicious degree of the access destination website, but it is an index that can express the suspicious degree such as the benign degree of the access destination website. If so, any information may be used.

The information in the guesser management table 116 may be input or updated by the administrator as necessary.

FIG. 4 is a diagram showing an example of the guesser weight history 117. As shown in FIG. 4, the guesser weight history 117 includes a time 401, a weight 402, a malignancy determination result 403, and a match 404 with the authentication result. Further, the guesser weight history 117 is prepared for each malignancy guesser 124 constituting the website malignancy determination program 109, and stores information about the guesser. Note that FIG. 4 exemplifies the guesser weight history 117 corresponding to the grade guesser 124 whose ID in FIG. 3 is 0.

Time 401 represents the time when the guesser determined the malignancy of the suspicious site. In the figure, year / month / day hours: minutes: seconds. Although the notation of a few seconds is used, any information such as Unixtime, which can determine the time, may be used.

The weight 402 represents the weight of the guesser at the time. For example, in the case of "0.3", it means that the weight of 0.3 was given to the guesser at the time.

The malignancy determination result 403 represents the malignancy calculated by the guesser for the website to be determined for malignancy at the time. For example, in the case of "75%", it means that the guesser has determined that the determination target is malignant with a probability of 75% at that time.

The match 404 with the authentication result indicates whether or not the determination result (malignant / benign) for the suspicious site at that time and the additional authentication result (non-breakthrough / breakthrough) of the user match. For example, in the case of "match", it means that they were in agreement, and in the case of "disagreement", it means that they were not in agreement.

FIG. 5 is a diagram showing an example of the gray list 118. As shown in FIG. 5, the gray list 118 includes an ID 501, a URL 502, an authentication successful user number 503, an authentication failure user number 504, and an authentication result 505 for each user.

ID 501 represents information that can uniquely identify the gray list 118.

URL 502 represents the URL of a suspicious connection destination. For example, in the case of "example.com", it means that the URL is a suspicious connection destination. Although the URL is used this time, it is sufficient if a suspicious connection destination can be identified, and for example, an IP address or FQDN may be used.

The number of successful authentication users 503 represents the unique number of users who have passed the additional authentication of the connection destination. For example, in the case of "2", it means that two users have passed the additional authentication of the connection destination. The number of successes can be calculated by using the authentication result 505 for each user, which will be described later.

The number of authentication-failed users 504 represents the unique number of users who did not break through the additional authentication of the connection destination. For example, in the case of "4", it means that the four users did not break through the additional authentication of the connection destination. The number of failures can be calculated by using the authentication result 505 for each user, which will be described later.

The authentication result 505 for each user represents the latest authentication result for each user with respect to the connection destination. For example, in the case of "123: success, 789: failure", it means that the user with the identifier 123 has passed the additional authentication and the user with the identifier 789 has not passed the additional authentication.

In the gray list 118, the connection destination determined to be malignant by the website malignancy determination program 109 is registered by the list update program 112. The specific processing of the website malignancy determination program 109 and the list update program 112 will be described later with reference to FIGS. 9 and 10.

The information in the gray list 118 may be registered or updated by the administrator as needed.

FIG. 6 is a diagram showing an example of blacklist 119. As shown in FIG. 6, the blacklist 119 includes an ID 601 and a URL 602.

ID601 represents information that can uniquely identify the blacklist 119.

URL 602 represents the URL of the malicious site. For example, in the case of "black.com", it means that the URL is a malicious site. Although the URL is used this time, it is sufficient if the malicious site can be identified, and for example, an IP address or FQDN may be used.

The blacklist 119 is determined to be malignant by the website malignancy determination program 109, and the connection destinations for which the user has not passed the authentication by a certain number or more are registered by the list update program 112. The specific processing of the website malignancy determination program 109 and the list update program 112 will be described later with reference to FIGS. 9 and 10.

The information in the gray list 118 may be registered or updated by the administrator as necessary.

FIG. 7 is a diagram showing an example of the whitelist 120. As shown in FIG. 7, the whitelist 120 includes an ID 701 and a URL 702.

ID701 represents information that can uniquely identify the whitelist 120.

URL702 represents the URL of a benign site. For example, in the case of "white.com", it means that the URL is a benign site. Although the URL is used this time, it is sufficient if the malicious site can be identified, and for example, an IP address or FQDN may be used.

Although the whitelist 120 is determined to be malignant by the website malignancy determination program 109, the connection destinations for which a certain number or more of users have passed the authentication are registered by the list update program 112. The specific processing of the website malignancy determination program 109 and the list update program 112 will be described later with reference to FIGS. 9 and 10.

The information in the whitelist 120 may be registered or updated by the administrator as necessary.

Subsequently, the access relay program 108 of the Web access control device 101 relays the communication from the user terminal 121, the website malignancy determination program 109 determines the malignancy of the access destination website, and the additional authentication request program 110 The user terminal 121 is requested to perform additional authentication, the access destination information acquisition program 111 acquires the information of the access destination website, and the list update program 112 updates the gray list 118, the black list 119, and the white list 120. The feedback value calculation program 113 calculates a value to be fed back to the weight assigned to each malignancy estimator 124 constituting the website malignancy determination program 109, and the weight update program 114 uses the value calculated by the feedback value calculation program 113. A process of updating the weights assigned to each grader 124 constituting the website grader determination program 109 will be described.

FIG. 8 is a diagram showing an overall processing flow of the Web access control device 101. As shown in FIG. 8, the access relay program 108 is executed by the CPU 103 and relays the communication from the user terminal 121 via the IF 102a (step 801).

The access relay program 108 refers to the blacklist, and if the access destination website corresponds to the blacklist, the process proceeds to step 810a, and if the access destination website does not correspond to the blacklist, the process proceeds to step 803 (step 802).

The access relay program 108 refers to the whitelist, and if the access destination website corresponds to the whitelist, the process proceeds to step 811a, and if the access destination website does not correspond to the whitelist, the process proceeds to step 804 (step 803).

The website malignancy determination program 109 calculates the malignancy of the accessed website and proceeds to step 805 (step 804). The malignancy calculation flow of the website malignancy determination program 109 will be described later with reference to FIG.

The access relay program 108 compares the malignancy calculated in step 804 with a predetermined threshold value, proceeds to step 811a if the malignancy is lower than the threshold value, and proceeds to step 806 if the malignancy is higher than the threshold value (step 805). ).

The additional authentication request program 110 requests the user for additional authentication, and proceeds to step 807 (step 806).

Here, it is conceivable that the additional authentication request program 110 uses a method for separating humans and machines, such as CAPTCHA (Completry Automated Turing test to tell Computers and Humans Part), for additional authentication to the user. .. As a result, even if the malware tries to access the malicious site mechanically, it is difficult to break through the authentication, and in addition to the access to the human malicious site, the access to the malicious site by the malware can be suppressed. Of the user. The display screen of the additional authentication request program 110 will be described later with reference to FIG.

The additional authentication request program 110 confirms whether the user has requested additional information at the time of additional authentication of the access destination website, and if there is a request, proceeds to step 808, and if there is no request, proceeds to step 809 (step 807). ..

The access destination information acquisition program 111 acquires the site information of the access destination and displays the acquired information on the user terminal 121 . (Step 808).

The additional authentication request program 110 confirms whether the user has succeeded in the additional authentication, and if it succeeds, proceeds to 811b, and if it fails, proceeds to 810b (step 809).

The access relay program 108 denies the user access to the site and ends the process (step 810a).

The access relay program 108 permits the user to access the site and ends the process (step 811a).

The access relay program 108 denies the user access to the site and proceeds to step 812 (step 810b).

The access relay program 108 permits the user to access the site and proceeds to step 812 (step 811b).

The access relay program 108 receives the additional authentication character string from the user, records the additional authentication information such as the authentication result by the additional authentication character string and the accompanying information at the time of the authentication in the additional authentication history 115, and steps 813. Proceed to (step 812).

The access relay program 108 notifies the list update program 112 and the feedback value calculation program 113 of the user's additional authentication result (whether or not the authentication has been exceeded), and proceeds to steps 814 and 815, which are processes of each program. (Step 813).

The list update program 112 refers to the additional authentication history 115, obtains the additional authentication result of the user, and then updates the gray list 118, the blacklist 119, and the white list 120 using the information (step 814). Each list update flow of the list update program 112 will be described later with reference to FIG.

The feedback value calculation program 113 refers to the additional authentication history 115, acquires the additional authentication result of the user and the accompanying information, calculates the feedback value using the information, and proceeds to step 815 (step 815). The feedback value calculation flow of the feedback value calculation program 113 will be described later with reference to FIG.

The weight update program 114 updates the weight of each guesser recorded in the guesser management table 116 based on the value calculated by the feedback value calculation program 113, and ends the process (step 816).

In step 806, when the maliciousness of the access destination website is equal to or higher than the threshold value, the user is requested to perform additional authentication. However, the user's authentication result is cached and the user performs additional authentication to the access destination site. If the above is exceeded even once, access may be permitted without requesting additional authentication. This can be expected to improve user convenience.

FIG. 9 is a diagram showing an example of the processing flow of the website malignancy determination program 109. As shown in FIG. 9, when the communication destination of the user terminal 121 that is executed by the CPU 103 and is not recorded in the blacklist and the whitelist is received from the access relay program 108, the process is started (step 901). ). The website malignancy determination program is composed of a plurality of malignancy estimators 124, each of which has a weight, and the determination results of each estimator are integrated to calculate the final value. The malignancy estimator here is one that estimates the malignancy of the website from the character string of the URL, and estimates the malignancy of the website from external information (whois information, DSN information, etc.) about the website. It is conceivable that the degree of malignancy of the website is estimated from the contents of the website and the content of the website.

The website malignancy determination program 109 inputs the access destination website received from the access relay program 108 to each malignancy estimator 124, and proceeds to step 903 (step 902).

The website malignancy determination program 109 starts receiving the determination results of each malignancy estimator 124, receives the results from all the estimators, and then proceeds to step 904 (step 903).

The website malignancy determination program 109 records the determination result of each guesser received in step 903 in the guesser management table 116 and the guesser weight history 117, and proceeds to step 905 (step 904).
The website malignancy determination program 109 multiplies the estimation result of each guesser received in step 903 by the weight given to each guesser obtained by referring to the guesser management table 116, and the total value is finalized. It is calculated as a prediction result, and the process is terminated (step 905). The above calculation procedure can be shown by the following calculation formula (Equation 1).

なお、今回は上述の計算式を用いた最終予測結果の算出手順を例示したが、各推測器の予測結果に対して重みを反映させ、最終的に統合する方式であれば、どのような方式を用いても良い。

This time, the calculation procedure of the final prediction result using the above calculation formula was illustrated, but any method can be used as long as the weight is reflected on the prediction result of each guesser and finally integrated. May be used.

Further, the malignancy estimator 124 can be added / deleted, and the administrator may add / delete the malignancy estimator 124 as needed.

FIG. 10 is a diagram showing an example of the processing flow of the list update program 112. As shown in FIG. 10, among the communication destinations of the user terminal 121 executed by the CPU 103, the website malignancy determination program 109 accesses the user's additional authentication result for the website whose malignancy is determined to be equal to or higher than the threshold value. Upon receiving from the relay program 108, the process is started (step 1001).

The list update program 112 refers to the gray list 118, and if the access destination website corresponds to the gray list, the process proceeds to step 1004, and if the access destination website does not correspond to the gray list, the process proceeds to step 1003 (step 1002).

The list update program 112 registers the access destination website in the gray list 118, and proceeds to step 1004 (step 1003).

The list update 112 refers to the additional authentication result of the user received from the access relay program 108, records the additional authentication result in the gray list 118, and the number of successful authentication users, the number of failed authentication users, and the user of the gray list 118. After updating the authentication result for each, the process proceeds to step 1005 (step 1004).

The list update program 112 refers to the additional authentication result of the user received from the access relay program 108, and proceeds to step 1006 if the authentication is successful, and proceeds to step 1009 if the authentication fails (step 1005). ).

The list update program 112 refers to the gray list 118, and if the cumulative number of successfully authenticated users of the accessed website exceeds a certain number, the process proceeds to step 1007, and if not, the process ends (step 1006). ).

The list update program 112 registers the access destination website in the whitelist 120, and proceeds to step 1008 (step 1007).
The list update program 112 deletes the line corresponding to the access destination website from the gray list 118, and ends the process (step 1008).

The list update program 112 refers to the gray list 118, proceeds to step 1010 if the cumulative number of failed authentication users of the access destination website exceeds a certain number, and ends the process if it does not exceed a certain number (step 1009). ).

The list update program 112 registers the access destination website in the blacklist 119 and proceeds to step 1011 (step 1010).
The list update program 112 deletes the line corresponding to the access destination website from the gray list 118, and ends the process (step 1011).

FIG. 11 is a diagram showing a processing flow of the feedback value calculation program 113. As shown in FIG. 11, among the communication destinations of the user terminal 121 executed by the CPU 103, the additional authentication result of the user for the access destination website whose malignancy is determined by the website malignancy determination program 109 to be equal to or higher than the threshold value. Is received from the access relay program 108, the process is started (step 1101). This time, an example of the case where the authentication result 202, the time required for authentication 204, the number of correct answers 205, and the presence / absence of site information display 206 are used as the accompanying information 203 will be described. It is also possible to calculate the final value with different processing flows even when using.

The feedback value calculation program 113 sets an initial value of 1.0 and proceeds to step 1103 (step 1102).

The feedback value calculation program 113 acquires authentication information from the latest entry of the additional authentication history 115, and proceeds to step 1104 (step 1103).

The feedback value calculation program 113 refers to the authentication information acquired in step 1103, and proceeds to step 1109 if the authentication is successful, and proceeds to step 1105 if the authentication fails (step 1104).

The feedback value calculation program 113 refers to the authentication information acquired in step 1103, and proceeds to step 1112 if the authentication has timed out, and proceeds to step 1106 if the authentication has not timed out (step 1105).

The feedback value calculation program 113 refers to the authentication information acquired in step 1103, and if the site information is displayed, the process proceeds to step 1112, and if not, the process proceeds to step 1107 (step 1106).

The feedback value calculation program 113 multiplies the value by 0.5 and proceeds to step 1108 (step 1107).
The feedback value calculation program 113 refers to the authentication information acquired in step 1103, decreases the value according to the number of correct answers, and proceeds to step 1112 (step 1108).
The feedback value calculation program 113 refers to the authentication information acquired in step 1103, decreases the value according to the time required for authentication, and proceeds to step 1110 (step 1109).
The feedback value calculation program 113 refers to the authentication information acquired in step 1103, and if the site information is displayed, the process proceeds to step 1112, and if not, the process proceeds to step 1111 (step 1110).

The feedback value calculation program 113 multiplies the value by 0.5 and proceeds to step 1112 (step 1111).
The feedback value calculation program 113 returns the final value calculated in the steps up to this point, and ends the process (step 1112).

By this process, the certainty of the user's authentication result can be quantified, and feedback can be given to each guesser 124 constituting the website malignancy determination program 109 according to the certainty.

The reasons for using the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206 as the accompanying information 203 this time are as follows.

The time 204 required for authentication is mainly used to separate human access and malware access. The additional authentication required when accessing a suspicious site does not occur during normal Web access, and while humans can flexibly respond when the additional authentication is issued, the additional authentication is not assumed. Malware cannot break through this and times out. Alternatively, with the sophistication of attacks in recent years, malware with a function to break through additional authentication has been reported, but in this case, it is presumed that the program attempts to break through authentication at an input speed that is difficult for humans to achieve. As described above, the time required for authentication by malware has a characteristic of time-out or extremely short, and is useful for human authentication and classification. Therefore, this information was used.

If the authentication result is successful, the feedback value calculation program 113 subtracts the value to be fed back according to the time required for authentication in step 1109. On the other hand, if the authentication result is unsuccessful, the same subtraction is not performed. This is in consideration of a user who accesses the access destination website without considering the risk even if the access destination website is suspicious. Even if a user with a low security level is warned that the accessed website is suspicious, it is conceivable that the user will access the website without considering the risk. On the other hand, if the access is stopped without breaking through the additional authentication, it is presumed that the risk of the accessed website is taken into consideration. From the nature of the additional authentication result described above, it is inferred that the reliability of successful authentication is higher than the reliability of authentication failure. For the above reasons, in the case of the authentication breakthrough, the feedback value that is not obtained when the authentication is not broken is subtracted, thereby reflecting the reliability of the additional authentication.

The number of correct answers 205 is mainly used when an authentication fails to determine whether or not the failure is due to a human error. For example, when authentication fails, if it is intended, it is presumed that the character string requested for authentication breakthrough is greatly deviated by inputting nothing or inputting an appropriate character. On the other hand, the unintended one (human error) is an input that has been tried to break through but has been missed, so it is presumed that the input does not deviate significantly from the character string requested for breaking through the authentication. As described above, whether or not the authentication failure is due to a human error appears in the number of correct answers for the character string requested for authentication breakthrough, and therefore the information is used.

The site information display presence / absence 206 is mainly used to verify the certainty of the user's authentication result. As described above, the Web access control device 101 has a function of additionally acquiring and displaying information on the access destination Web site in response to the user's request when the user is requested to perform additional authentication. It is presumed that the user who requested the information is a user with high security awareness who requests additional information and tries to judge the nature of the accessed website from various angles, and the judgment at that time is added. Since it is based on the information, it is presumed to be more reliable than the judgment without looking at the additional information. As described above, since the site information display presence / absence 206 is useful for verifying the reliability of the user's authentication result, the information was used.

FIG. 12 is a diagram showing a processing flow of the weight update program 114. As shown in FIG. 12, when the feedback value executed by the CPU 103 and reflected in each malignancy estimator 124 constituting the website malignancy determination program is received from the feedback value calculation program 113, the process is started (step 1201). ..

The weight update program 114 sets an initial value of 0 in the variable i meaning the ID of the malignancy guesser 124, and proceeds to step 1203 (step 1202).

The weight update program 114 refers to the additional authentication history 115 and the guesser management table 116, and proceeds to step 1204 after acquiring the guess result and the authentication result of the guesser whose ID is the variable i (step 1203).

The weight update program 114 compares the estimation result of the guesser whose ID is the variable i obtained in step 1103 with the authentication result, and if they match, the process proceeds to step 1205, and if they do not match, step 1206 is performed. Proceed to (step 1204).

The weight update program 114 adds the weight of the guesser whose ID is the variable i according to the value received from the feedback value calculation program 113, and the weight of the guesser recorded in the guesser management table 116 is added. After updating to the value, the process proceeds to step 1207 (step 1205).

The weight update program 114 subtracts the weight of the guesser whose ID is the variable i according to the value received from the feedback value calculation program 113, and the weight of the guesser recorded in the guesser management table 116 is subtracted. After updating to the value, the process proceeds to step 1207 (step 1206).

The weight update program 114 adds 1 to the variable i and proceeds to step 1203 (step 1207).

The weight update program 114 compares the variable i with the number of guessers that can be obtained by referring to the guesser management table 116, and if the variable i is less than the number of guessers, returns to step 1203 and determines the number of guessers. If the value is exceeded, the process proceeds to step 1209 (step 1208).

The weight update program 114 normalizes the weights of each malignancy guesser 124 recorded in the guesser management table 116 so that the sum of the weights of the guessers becomes 1, and ends the process (step 1209).

FIG. 13 is a diagram showing an example of an additional authentication screen displayed by the additional authentication request program 110. As shown in FIG. 13a, only when an additional authentication screen is displayed and the additional authentication in the screen is exceeded when an attempt is made to access a website showing a malignancy equal to or higher than the threshold by the access destination website malignancy determination program. , Allow access to the website. The additional authentication screen includes a warning message 1301 that the access destination website is suspicious, a character string display field 1302 for additional authentication, an additional authentication character string input form 1303, an additional authentication character string transmission button 1304, and the addition. It is composed of an information request button 1305. Only when it is determined that the website is not malicious, the user correctly inputs the character string shown in the character string display field 1302 for additional authentication in the additional authentication character string input form 1303, and presses the additional authentication character string transmission button 1304. By pressing it, access can be continued. Further, when the user has difficulty in determining whether or not access is possible, by pressing the additional information request button 1305, additional information for the determination can be acquired and displayed. An example of the screen after the additional information is displayed is shown in FIG. 13b. The additional authentication screen after the additional information is displayed is composed of the website information display field 1306 and the website thumbnail display field 1307. In the website information display field 1306, public information about the access destination website such as whois information and DNS information is displayed. In the website thumbnail display field 1307, a thumbnail when actually accessing the access destination website is displayed as an image. Based on this information, the user determines whether or not to access the access destination website.

In addition, you may change a part of this Example and carry out as follows.

Even if the final prediction result of the malignancy of the access destination website is equal to or less than the threshold value, if one or more guessers calculate the high malignancy, additional authentication may be requested. This makes it possible to incorporate into the website malignancy determination program 109 even a guesser that specializes in detecting specific malignant sites that tend to have less weight due to their low versatility. Therefore, detection omission can be suppressed.

In addition, the difficulty level of additional authentication may be increased or decreased depending on the value of the degree of malignancy. For example, if the malignancy is relatively low, only button clicks may be performed, and if the malignancy is high, CAPTCHA authentication may be performed. As a result, it is possible to suppress the load on the user's authentication for a gray site rather than benign.

Further, the additional authentication result of the user after verification may be treated as correct answer data (Ground Truth), and each time the data is given, the additional authentication result may be sequentially learned and used as teacher data for online learning to build a model. This makes it possible not only to optimize the weight given to each guesser, but also to optimize the guesser itself.

Further, the present invention is not limited to the above-described embodiment as it is, and at the implementation stage, the components can be modified and embodied within a range that does not deviate from the gist thereof. In addition, various inventions can be formed by an appropriate combination of the plurality of components disclosed in the above-described embodiment. For example, some components may be removed from all the components shown in the embodiments. Furthermore, components over different embodiments may be combined as appropriate.

This embodiment includes the Web access control device 101 according to the first embodiment, and pays attention to the time-series change of the weight when updating the weight given to the malignancy guesser 124, and weights in a more suitable form. It is a Web access control device having a function of giving.

In the second embodiment, attention is paid to the time-series change of the weight of the guesser, and when the change of the weight shows a different tendency from the past, the update of the weight is suspended. For example, it is inferred that the potentially accurate guesser weights continue to increase monotonically and the rising value converges to a saturated value, but if the user's authentication result is different from what it should be, it is monotonous. The weight that has increased or converged to a constant value tends to decrease. By detecting this change point and suspending the update of the weight in that case, it is possible to determine whether the fluctuation of the weight is correct or the noise due to the user's authentication error, etc., and suppress the improper weight increase / decrease. , It is possible to suppress a decrease in the determination accuracy of the website malignancy.

FIG. 14 is an example of the weight update flow in this embodiment. The same components as those in the first embodiment are designated by the same reference numerals, and the description thereof will be omitted. Hereinafter, the differences from the first embodiment will be mainly described.

In addition to the flow shown in FIG. 12, the weight update program 114 has a processing flow focusing on the time-series change at the time of weight update. Specifically, in step 1204, it is verified whether or not the estimation result of the guesser and the authentication result match, and when the flow is branched to add / subtract weights, the actual weights are changed over time. It has steps 1210 and 1211 for determining whether to add / subtract weights to. Hereinafter, the processing contents of steps 1210 and 1211 will be described.

The weight update program 114 acquires the time-series change of the weight of the guesser whose ID is the variable i with reference to the guesser management table 116 corresponding to the guesser. Further, if the weights are added, it is verified whether the tendency of the weight change is different from the previous one, and if the tendency different from the previous change is found, the process proceeds to step 1207 in order to suspend the weight update. If the change in weight does not show a different tendency, the process proceeds to step 1205 (step 1210).

The weight update program 114 acquires the time-series change of the weight of the guesser whose ID is the variable i with reference to the guesser management table 116 corresponding to the guesser. Further, if the weight is subtracted, it is verified whether the tendency of the weight change is different from the previous one, and if the tendency different from the previous change is found, the process proceeds to step 1207 in order to suspend the weight update. If the change in weight does not show a different tendency, the process proceeds to step 1206 (step 1211).

Further, the present invention is not limited to the above-described embodiment as it is, and at the implementation stage, the components can be modified and embodied within a range that does not deviate from the gist thereof. In addition, various inventions can be formed by an appropriate combination of the plurality of components disclosed in the above-described embodiment. For example, some components may be removed from all the components shown in the embodiments. Furthermore, components over different embodiments may be combined as appropriate.

101: Web access control device 108: Access relay program 109: Website malignancy determination program 110: Additional authentication request program 111: Access destination information acquisition program 112: List update program 113: Feedback value calculation program 114: Weight update program 115: Additional authentication history 116: Estimator management table 117: Estimator weight history 118: Gray list 119: Black list 120: White list 121: User terminal 123: Internet 124: Malignancy estimator

Claims (8)

A Web access control device that connects to a terminal operated by a user via a network.
Holds the weights corresponding to each of the multiple guessers that infer the malignancy of the accessed website,
A website malignancy determination unit that estimates the malignancy of the access destination website using each of the plurality of guessers and integrates each of the estimated malignancy based on the weight.
When an access to a website whose integrated malignancy is higher than a predetermined threshold is detected, the user is requested to perform additional authentication to determine whether or not to access the website, and the authentication result of the additional authentication is acquired. , Additional certification request section,
A feedback value calculation unit that calculates a feedback value based on the authentication result,
A weight update unit for updating the weight of each of the plurality of guessers is provided.
The weight update unit is
For each of the plurality of guessers,
Based on the degree of malignancy estimated by the guesser, the judgment result indicating whether the website is malignant or benign by the guesser is acquired.
If the determination result is malignant and the authentication result is successful, or if the determination result is benign and the authentication result is unsuccessful, it is determined that the determination result and the authentication result do not match. ,
If the determination result is malignant and the authentication result is unsuccessful, or if the determination result is benign and the authentication result is successful, it is determined that the determination result and the authentication result match.
If the determination result and the authentication result do not match, the weight of the guesser is subtracted based on the feedback value.
If the determination result and the authentication result match, the weight of the guesser is added based on the feedback value.
A Web access control device characterized by this. The Web access control device according to claim 1.
When the result of the additional authentication is successful, the feedback value calculation unit calculates the feedback value based on a value obtained by subtracting a predetermined initial value greatly as the time until the authentication in the additional authentication succeeds becomes longer. Web access control device characterized by The Web access control device according to claim 1.
Equipped with an access destination information acquisition department
When the additional authentication request unit receives a request for additional information including at least one of a thumbnail image of a website having a malignancy higher than a predetermined threshold, whois information, and DNS information, the access destination information acquisition unit A Web access control device characterized by acquiring and outputting the additional information from the website. The Web access control device according to claim 3.
The feedback value calculation unit is
If the result of the additional authentication is successful,
A value obtained by subtracting a predetermined initial value greatly as the time until the authentication in the additional authentication succeeds becomes longer is calculated.
When the access destination information acquisition unit outputs the additional information, the calculated value is calculated as the feedback value.
A Web access control device characterized in that when the access destination information acquisition unit outputs the additional information, a value obtained by reducing the calculated value by a predetermined ratio is calculated as the feedback value. The Web access control device according to claim 3.
The feedback value calculation unit is
If the result of the additional authentication is unsuccessful
If a time-out occurs in the additional authentication, a predetermined initial value is calculated as the feedback value.
When the additional authentication does not time out and the access destination information acquisition unit outputs the additional information, the feedback value is calculated based on the value obtained by reducing the predetermined initial value by a predetermined ratio. A featured Web access control device. The Web access control device according to claim 5.
When the result of the additional authentication is a failure, the time-out does not occur in the additional authentication, and the access destination information acquisition unit outputs the additional information, the feedback value calculation unit sets the predetermined initial value to the predetermined value. A Web access control device, characterized in that the value reduced by the ratio of the above is calculated as the feedback value by further reducing the value according to the number of correct answers of the input characters in the additional authentication. The Web access control device according to claim 1.
A time series of changes in the weights of each of the plurality of guessers is maintained.
The weight update unit is
For each of the plurality of guessers,
When the determination result by the guesser matches the authentication result of the additional authentication, and when the weight of the guesser is subtracted based on the feedback value, the weight of the guesser is referred to with reference to the time series. If it is determined that there is no change in the tendency of the time-series change of the increase or decrease of, the weight of the guesser is subtracted based on the feedback value.
When the determination result by the guesser matches the authentication result of the additional authentication, and when the weight of the guesser is subtracted based on the feedback value, the weight of the guesser is referred to with reference to the time series. A Web access control device comprising adding the weight of the guesser based on the feedback value when it is determined that there is no change in the tendency of the time-series change of the increase or decrease of. It is a Web access control method using a Web access control device that connects to a terminal operated by a user via a network.
Holds the weights corresponding to each of the multiple guessers that infer the malignancy of the accessed website,
The malignancy of the access destination website is estimated using each of the plurality of guessers, and each of the estimated malignancy is integrated based on the weight.
When an access to a website whose integrated malignancy is higher than a predetermined threshold is detected, the user is requested to perform additional authentication to determine whether or not to access the website, and the authentication result of the additional authentication is acquired. ,
Based on the authentication result, the feedback value is calculated.
Update the weights of each of the multiple guessers,
In updating the weights of each of the plurality of guessers,
Based on the degree of malignancy estimated by the guesser, the judgment result indicating whether the website is malignant or benign by the guesser is acquired.
If the determination result is malignant and the authentication result is successful, or if the determination result is benign and the authentication result is unsuccessful, it is determined that the determination result and the authentication result do not match. ,
If the determination result is malignant and the authentication result is unsuccessful, or if the determination result is benign and the authentication result is successful, it is determined that the determination result and the authentication result match.
If the determination result and the authentication result do not match, the weight of the guesser is subtracted based on the feedback value.
If the determination result and the authentication result match, the weight of the guesser is added based on the feedback value.
A Web access control method characterized by this.

Images